Thank you Justin. I'll try to reproduce the issue later. By the way, should I try another version of OpenJDK? For example OpenJDK 21 ?
вт, 16 сент. 2025 г., 22:58 Justin Bertram <[email protected]>: > > Has anyone experienced a similar situation where the connectionTimeout > is applied instead of the readTimeout in the LDAP authentication module? > > I've not seen this before, but I'm not a heavy user of the LDAPLoginModule. > For what it's worth, I can't recall any similar reports from other users. > > It's worth noting that the LDAPLoginModule delegates LDAP connectivity to > the underlying JVM, specifically com.sun.jndi.ldap.LdapCtxFactory. You can > see here [1] that the LDAPLoginModule sets the corresponding properties to > the appropriate values [2]. Therefore, if there is something getting mixed > up I think it's likely not happening in broker code. That said, looking > through the OpenJDK code for 17.0.15 [3] I don't see any obvious problems. > > > Justin > > [1] > > https://github.com/apache/activemq-artemis/blob/5729a7264b3296187bf844663fbec8bd1856c11b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java#L662 > [2] > > https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html#PROP > [3] https://github.com/openjdk/jdk/tree/jdk-17%2B15 > > On Tue, Sep 16, 2025 at 10:50 AM Alexander Milovidov <[email protected] > > > wrote: > > > Hi All, > > > > I have encountered an issue with the LDAP authentication module in Apache > > ActiveMQ Artemis. It appears that in some cases the connectionTimeout > value > > is being used instead of the configured readTimeout. > > > > Configuration of the LDAPLogin module: > > connectionTimeout = 500 ms - for faster failover to the next LDAP server. > > readTimeout = 5000 ms - as the LDAP server should not take longer to > > respond. > > > > With a connectionURL containing three LDAP servers, everything worked as > > expected. After switching to a single LDAP server (which is actually a > load > > balancer for all LDAP servers), I started seeing the following error > > messages in the logs, occurring approximately 1-7 times per hour: > > AMQ224084 Failed to open context > > javax.naming.NamingException: LDAP response read timed out, timeout used: > > 500 ms. > > > > The issue only started after switching from multiple LDAP servers to a > > single load-balanced LDAP endpoint. > > I have recorded and examined tcpdump. It looks like the broker breaks the > > connection with the LDAP server when it was connected and did not > receive a > > reply after 500 ms. > > After setting both timeouts to 5000 ms it seems to work fine. > > > > Has anyone experienced a similar situation where the connectionTimeout is > > applied instead of the readTimeout in the LDAP authentication module? > > > > Environment: ActiveMQ Artemis version 2.39.0, OpenJDK version 17.0.15, OS > > AlmaLinux 9. > > LDAP is Microsoft Active Directory. > > > > Any suggestions or insights would be greatly appreciated. > > > > Full stack trace: > > javax.naming.NamingException: LDAP response read timed out, timeout used: > > 500 ms. > > at > > > java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:129) > > ~[?:?] > > at > > java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:447) > > ~[?:?] > > at > > java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365) > > ~[?:?] > > at > > > java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > > ~[?:?] > > at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2896) > > ~[?:?] > > at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) > > ~[?:?] > > at > > > > > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) > > ~[?:?] > > at > > > > > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) > > ~[?:?] > > at > > > > > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) > > ~[?:?] > > at > > > > > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) > > ~[?:?] > > at > > > > > java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) > > ~[?:?] > > at > > > > > java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732) > > ~[?:?] > > at > > > > > java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) > > ~[?:?] > > at > > java.naming/javax.naming.InitialContext.init(InitialContext.java:236) > > ~[?:?] > > at > > java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208) > > ~[?:?] > > at > > > > > java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:130) > > ~[?:?] > > at > > > > > org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.lambda$openContext$3(LDAPLoginModule.java:711) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > java.base/java.security.AccessController.doPrivileged(AccessController.java:712) > > ~[?:?] > > at java.base/javax.security.auth.Subject.doAs(Subject.java:439) > ~[?:?] > > at > > > > > org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:711) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.resolveDN(LDAPLoginModule.java:345) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.authenticate(LDAPLoginModule.java:313) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(LDAPLoginModule.java:217) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) > > ~[?:?] > > at > > > > > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679) > > ~[?:?] > > at > > > > > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677) > > ~[?:?] > > at > > > > > java.base/java.security.AccessController.doPrivileged(AccessController.java:712) > > ~[?:?] > > at > > > > > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677) > > ~[?:?] > > at > > > > > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587) > > ~[?:?] > > at > > > > > org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:151) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:97) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:221) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.validateUser(ActiveMQServerImpl.java:1803) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:183) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.internalHandler(ActiveMQPacketHandler.java:106) > > ~[artemis-server-2.39.0.jar:2.39.0] > > at > org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32) > > ~[artemis-commons-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) > > ~[artemis-commons-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:57) > > ~[artemis-commons-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:32) > > ~[artemis-commons-2.39.0.jar:2.39.0] > > at > > > > > org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) > > ~[artemis-commons-2.39.0.jar:2.39.0] > > at > > > > > java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) > > [?:?] > > at > > > > > java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) > > [?:?] > > at > > > > > org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) > > [artemis-commons-2.39.0.jar:2.39.0] > > > > > > -- > > Regards, > > Alexander > > >
